Posts

Showing posts from June, 2020

Threat Actors Phishing Airbnb Users For Fraud

During my daily monitoring, I uncovered a number of Airbnb phishing pages harvesting user account credentials. This got me thinking about the types of fraud targeting Airbnb users and hosts. Airbnb is not a typical phishing target compared to the vast number of phishing pages targeting banks, HMRC, DVLA, and mobile carriers. However, it can be a profitable venture for cybercriminals if they can phish the right account. I also identified one phishing page that was aiming to bypass SMS two-factor authentication (2FA). The first page takes the email and password (see here) and the second acquires the SMS code (see here). For this attack, the operators only have a limited amount of time to swipe the credentials and input the 2FA code before it expires (typically around 10 minutes). If successful, the attackers are fully authenticated and can change the password.

Indicators of Compromise (IOCs):
Type: Domain, Indicator: abn.co-host-listing-49461[.]casa
Type: Domain, Indicator: abn.co-h

CobaltStrike: The Penetration Testing Framework & Our Adversaries

CobaltStrike is an advanced penetration testing framework and threat emulation software that was built by Red Teamers for Red Teamers, but is more often than not used by our adversaries too. It was designed as a full-scope engagement tool intended to improve the security of organisations by identifying weaknesses. However, because it is extremely “hacker friendly”, it has been stolen and adopted by organised cybercrime gangs and advanced persistent threat (APT) groups alike. CobaltStrike itself is an interesting tool that was built on top of, and expands upon, the Metasploit framework. It has streamlined penetration testing by automating Metasploit processes and adding additional modules.

Key features of CobaltStrike (mainly taken from the website):
Reconnaissance - profile systems and find their weaknesses. Footprint operating systems and discover running services and applications.
Access - credential access, bypass authentication, Man-in-the-Middle attacks, social eng

Deep-dive: The DarkHotel APT

UPDATE - 29.06.2022: On 28 June 2022, NKNews.org cited this blog in their research on DarkHotel. In November 2021, I decided to revisit this blog and rethink some of the things I said. Parts of this blog are not what I would currently consider analytically sound. This was written over 2 years ago and my skills and my perspective on this group have changed a lot since then.

“📝 I decided to review and rethink some of the things I wrote in one of my more popular blogs, which was received well(ish) but was not what I would currently consider analytically sound. This was written nearly 1.5 yrs ago and my perspective has changed 1/7 https://t.co/Nk3amxHHiQ” — Will (@BushidoToken) November 29, 2021

Originally published on 14.06.2020

PART 1: DARKHOTEL
DarkHotel is a sophisticated and active advanced persistent threat (APT) group. It is highly capable and is known for finding and taking advantage of previously unknown vulnerabilities in common software, also known as 0days. It is a well-est

The Joker Trojan plays the Google PlayStore

The Joker Trojan (also known as the Bread Trojan) is an Android dropper with spyware capabilities. It is often hidden within advertisements to trick users into clicking on and downloading the malware. Usually, it only targets SIM cards with specific country codes, geo-fencing the victims. It is used by financially motivated attackers to harvest a user's device information, contact list, and text messages, and to sign them up to premium subscriptions. APK Lab recently disclosed that two available apps containing the Joker Trojan managed to sneak past protection systems and were uploaded to the Google Play Store. The apps containing the Trojan, called ‘Speed Message’ and ‘Botmatic Messages’, currently have over 11,000 installs combined.

VirusTotal Graph:

Once installed, the malware contacts the attacker’s C2 server and pulls the malicious payload. Further investigation into the IP address of the attacker’s C2 server led me to find three more apps, called ‘Playful Game Station’, ‘Watch SMS’,